diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 350609b..259efaf 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -7,3 +7,7 @@
 - name: Reload ufw
   community.general.ufw:
     state: reloaded
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index a088acd..5e3dee4 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -126,3 +126,39 @@
   community.general.ufw:
     state: enabled
   when: common_ufw_enabled | bool
+
+# --- Cleanup: orphaned cloudflared (PESO-138) ---
+# Cloudflare Tunnels were retired in favour of Caddy + Authelia (PESO-134, #56),
+# which removed cloudflared from ansible config. copenhagen-a was unreachable at
+# the time, so its cloudflared.service was never actually stopped and is still
+# running. Remove it wherever the unit lingers. copenhagen-c legitimately runs a
+# hand-configured cloudflared tunnel — never touch it.
+- name: Detect lingering cloudflared unit
+  ansible.builtin.stat:
+    path: /etc/systemd/system/cloudflared.service
+  register: common_cloudflared_unit
+  when: inventory_hostname != 'copenhagen-c'
+
+- name: Remove orphaned cloudflared
+  when:
+    - inventory_hostname != 'copenhagen-c'
+    - common_cloudflared_unit.stat.exists | default(false)
+  block:
+    - name: Stop and disable cloudflared
+      ansible.builtin.systemd:
+        name: cloudflared
+        state: stopped
+        enabled: false
+      failed_when: false
+
+    - name: Remove cloudflared systemd unit
+      ansible.builtin.file:
+        path: /etc/systemd/system/cloudflared.service
+        state: absent
+      notify: Reload systemd daemon
+
+    - name: Uninstall cloudflared package
+      ansible.builtin.apt:
+        name: cloudflared
+        state: absent
+        purge: true
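Review bot: `failed_when: false` on the "Stop and disable cloudflared" task in the tasks/main.yml hunk swallows every failure of the stop, yet the block only runs after the stat task has confirmed the unit file exists, so a stop that fails is exactly the case that should abort before the next two tasks delete the unit file and purge the package out from under a still-running process; drop that line, or `register` the result and fail on anything other than the module's "service not found" error. The cleanup also leaves behind whatever cloudflared itself wrote outside the package — presumably the tunnel credentials and config under a directory like /etc/cloudflared, to be confirmed on copenhagen-a — because `apt` purge only removes package-owned files, so a `state: absent` on that directory (or a comment stating it is deliberately kept) and a reminder in the header comment to revoke the tunnel on the Cloudflare side would finish retiring it. The `copenhagen-c` exclusion is hard-coded twice inside a shared role; a host variable such as `common_cloudflared_keep: true` in that host's vars would keep inventory names out of the role and let both conditions read `not (common_cloudflared_keep | default(false))`. The task list this hunk appends to starts outside the hunk.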